Preferred partition scheme for Linux file system

This article was written with Ubuntu Linux in mind, and more specifically newer releases like 12.04 – 14.04.

In the past I used a single partition starting from / for all my installations, but later I realized the high importance of creating multiple partitions. This is not a definitive answer for all cases.

We have to create at least four partitions dedicated to the Linux system:

/ – 5 GB
/usr – 25 GB (user binaries, libs and apps)
/home – 10 GB (if required adjust it later)
/var – 5 GB (for log files, mails, mysql database)
/swap – (1 – 2) x RAM size

Simplified understanding of crypto currencies – bitcoins

This is a simplified explanation of how crypto currencies (such as Bitcoin) work. This article is intended to decipher the fundamentals of crypto currencies in relation to the traditional monetary system, which many of us find difficult to grasp. Note that a digital currency is not a radically new way of doing commerce: internet banking, where no physical money is transferred, can be thought of as one step before the concept of today's crypto currency.

To understand this fully you need very basic knowledge of software encryption concepts; if you don't have it, please do a Google search for a quick primer. In the later part of this article I might use the terms digital currency and crypto currency interchangeably.

First we should ask ourselves a question: what does it take for a given type of monetary system to work successfully for regular transactions? What are the fundamental requirements?

REQUIREMENTS
To make this easier to understand, it is good to depict a commercial exchange between just TWO parties; later we will deal with a more complex system in which a network of computers is involved in the verification and integrity of the digital currency, which is analogous to the banking system.

1. A payer who owns some money.
2. A receiver who needs to be paid.
3. Physical or otherwise type of object accepted by both parties as currency. This can hold a certain monetary value.

In digital currency the payer and receiver are NOT directly humans but software applications (such as a bitcoin wallet) running on PCs or on mobile devices. Now to the third and most important item, the currency itself: in traditional commercial exchange we have paper and metal based currencies, but in the digital world we are naturally going to use computer files (in a special format), because everything in the computer world is a file. Here comes the difficult part. Compare this with paper based currency, which is a physical object that only governments can produce: if I give you one dollar, my wallet has 1 dollar less.. naturally!

Now how do we mimic the same process in digital currency? Everyone knows that computer files are not physical objects but patterns of dots on a magnetic hard disk. They can be copied and replicated without destroying the original copy. This gives us the most fundamental requirements for a crypto currency, which are:

1. A unit of digital currency should usually never be Created (currency mining is an exception), Destroyed or Modified (with few exceptions) – it is immutable.
2. A transfer of digital currency should be synchronized: if I copy digital currency (a computer file) to your PC, my file should automatically get removed.

That was for easy understanding; in most cases, however, the transfer of digital currency would take place over the internet. Also, removing the currency doesn't have to mean deleting the crypto currency file from the file system: simply changing its value to 0 is equally workable.

Let's go back to our previous example of just two persons (PCs), A and B. Let's assume that God had already created 5 dollars' worth of crypto currency at the time person A bought his PC. Now how do we achieve the above two requirements?

The first thing is that I should not manually copy my currency to the other PC but rather use an authorized application that automatically unsets the original file at A once it has been copied to destination B. This looks nice at first, but it is not a foolproof way of doing it. First of all, this system is 100% dependent on a software application, which would have to be made by a single authority only. The second problem is that if somebody hacks into this software, he can gain access to limitless crypto currency, as he would keep transferring money while his own balance would never drain.

Having a software application (call it a wallet or client) for managing digital currency is a necessity, but it does not fulfill our needs. So what do we do? Hint: there has to be some mechanism incorporated in the currency (file) itself, so that it can validate itself, prevent forgery etc. Wait, this is going too fast..! Let us return to our previous two requirements.

Anybody who knows the basics of encryption knows that encryption is used to hide information from everyone except the intended recipient. Not just that: by using encryption we can make our information immutable, since nobody can see it, nobody can modify it! This means that in my currency file, instead of putting 5 dollars, I should encrypt the value before storing it. So encryption is the most basic requirement for a digital currency to function.

Secure server setup checklist

The following guide steps through a checklist for setting up a more secure dedicated or VPS server (or web server); I have used Ubuntu 12.04 in this example. If any loopholes are left over, the server can be doomed by hackers.

# disable root account for ssh

# enable public key authentication

# install vsftpd server and make sure plain ftp is not enabled.

# all newly created unix usernames must be non-predictable, e.g. don't use names like ftp, www, user etc.

# disable apache autoindex module so that no directory listing is possible by default.

# disable apache server signature: edit conf.d/security and set the following lines
ServerSignature Off
ServerTokens Prod

# web folder permission
for directories 755
for files 644

# use tools like Linode's Longview to track CPU/memory consumption history per process

[Postfix]
Create virtual host http://www.berkes.ca/guides/postfix_virtual.html

# lock down postfix mail server to stop spammers using your email server
disable php mail() function
check for open relays

http://www.mailradar.com/openrelay/

check whether any Apache web app has an insecure form that sends mail

# install fail2ban and configure it with the following guide:
http://stuffphilwrites.com/2013/03/permanently-ban-repeat-offenders-fail2ban/

# make sure no insecure file upload form exists
# check the MIME type
# check the file extension
# check the file size
# check that getimagesize() does not return false

# check apache log files such as other_vhosts_access.log for the week
# check if any php file uploaded
# check if web request to suspicious php file is made
# monitor the server web directory for newly created/modified file
# find /some/path/ -cmin -20 (20 is the time in minutes)
# -cmin/-mmin etc
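
The log review and file monitoring steps above, combined in a small script (an added example, not part of the original checklist). The function names, the temp web root and the sample log lines are constructed; it assumes Apache's vhost_combined log layout and that the web root maps to the site's URL root. Note that -cmin also fires on chmod or rename, not only on content changes.

```shell
#!/bin/sh
# recent_php WEBROOT [MINUTES]
# PHP files under WEBROOT whose inode changed in the last MINUTES (default 20).
recent_php() {
    find "${1%/}" -type f -name '*.php' -cmin "-${2:-20}" 2>/dev/null
}

# php_hits LOG WEBROOT [MINUTES]
# For each recently changed PHP file, print "ip method path status" for every
# request to it. Assumed log layout (other_vhosts_access.log):
#   vhost:port ip - user [date tz] "METHOD path PROTO" status bytes ...
php_hits() {
    root=${2%/}
    recent_php "$root" "${3:-20}" | while IFS= read -r f; do
        uri=${f#"$root"}                     # file path relative to the URL root
        awk -v uri="$uri" '
            { split($8, p, "?"); m = $7; sub(/^"/, "", m) }
            p[1] == uri { print $2, m, $8, $10 }
        ' "$1"
    done
}

# Constructed sample: a temp web root with a fresh PHP file in uploads/
# and a two-line log (documentation IP ranges). Prints the temp dir.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/www/uploads"
    : > "$d/www/uploads/a1.php"
    : > "$d/www/index.html"
    {
        echo 'site.example:80 203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "POST /uploads/a1.php?x=1 HTTP/1.1" 200 512 "-" "-"'
        echo 'site.example:80 198.51.100.7 - - [10/Oct/2014:13:56:00 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "-"'
    } > "$d/access.log"
    echo "$d"
}

s=$(make_sample)
recent_php "$s/www"                  # the new PHP file in uploads/
php_hits "$s/access.log" "$s/www"    # who requested it, and with what result
rm -rf "$s"
```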

# if required, disable certain URLs in the virtual hosts file by adding the following inside the VirtualHost tag

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login\.php [NC]
RewriteRule ^.*$ - [F,L]

# use a CAPTCHA for any open web forms

# if there are WordPress sites, change the admin account name to something non-predictable

# protecting wordpress sites
# update wordpress
# rename default admin username to something else

# follow the article http://kovshenin.com/2014/fail2ban-wordpress-nginx/
# basically we use fail2ban for this, create a wp plugin that generate 403 response code upon auth failure
# this is logged in apache log files
# then create a wordpress filter and action for fail2ban
# add the filter and action to /etc/fail2ban/jail.conf
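
What the fail2ban filter in the steps above keys on, run by hand over a log (an added example, not taken from the linked article). The function names, the default threshold of 5 and the sample log lines are constructed; it assumes the plugin's 403 responses land in an Apache vhost_combined log.

```shell
#!/bin/sh
# wp_login_offenders LOG [MAXRETRY]
# Print "count ip" for every client with at least MAXRETRY (default 5, an
# assumed threshold) 403 responses to POST /wp-login.php, busiest first.
# Assumed log layout (other_vhosts_access.log):
#   vhost:port ip - user [date tz] "METHOD path PROTO" status bytes ...
wp_login_offenders() {
    awk -v max="${2:-5}" '
        {
            split($8, p, "?")               # drop any query string
            if ($7 == "\"POST" && p[1] == "/wp-login.php" && $10 == 403)
                fails[$2]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log (documentation IP ranges) written to a temp file:
# six failed logins from one client, one failure and one success from another.
sample_wp_log() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt 6 ]; do
        echo 'blog.example:80 203.0.113.9 - - [01/Jun/2014:10:00:0'"$i"' +0000] "POST /wp-login.php HTTP/1.1" 403 300 "-" "-"'
        i=$((i + 1))
    done > "$f"
    echo 'blog.example:80 198.51.100.4 - - [01/Jun/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 403 300 "-" "-"' >> "$f"
    echo 'blog.example:80 198.51.100.4 - - [01/Jun/2014:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"' >> "$f"
    echo "$f"
}

log=$(sample_wp_log)
wp_login_offenders "$log" 5    # only the client with six failures is listed
rm -f "$log"
```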

[Logging]
# stop cron job log message from appearing in auth.log files (better visibility)
1. cd /etc/pam.d/
2. open "common-session-noninteractive" and find the line "session required pam_unix.so"
3. add the line below above it:
   session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
4. service cron restart

Intrusion detection

1. using maldet: install maldet and run the following command in a new screen session
# maldet -a /
# look at the report of malware files it generates at the end

2. install and run rkhunter scan (it will find out possible rootkits in your system)
# if you see some warnings like "'/bin/which' has been replaced by a script:"
# do ls -l and check dates of those files in bin or sbin folders

3. install clamav virus/malware detection software
# apt-get install clamav

4. follow checklist http://www.slideshare.net/anton_chuvakin/anton-chuvakin-on-discovering-that-your-linux-box-is-hacked

5. install and run tripwire